Who Enforces HIPAA?

Since the passing of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule in 2006, noncompliance with HIPAA can result in a significant financial penalty, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates?

Who Enforces HIPAA?

The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, saw state attorneys general given the power to assist OCR in the enforcement of HIPAA. The Centers for Medicare and Medicaid Services (CMS) also has some enforcement powers and the U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) have participated in HIPAA enforcement to some degree.

HIPAA Enforcement by the HHS’ Office for Civil Rights

The HHS’ Office for Civil Rights investigates all data breaches reported by covered entities and business associates if they impact more than 500 individuals. Smaller data breaches are also occasionally investigated, especially if several small breaches of a similar nature have been reported which could indicate compliance failures. OCR also investigates HIPAA complaints filed by patients and employees of HIPAA covered entities over suspected HIPAA violations.

OCR investigates covered entities to determine whether there have been any violations of the HIPAA Privacy, Security, and Breach Notification Rules. Not all data breaches are caused as a direct result of HIPAA violations. OCR accepts that even fully compliant healthcare organizations can only reduce the risk of a data breach to a reasonable level. Data breaches are now a fact of life and cannot always be prevented. Many complaints are filed about possible HIPAA violations, although a large percentage are not substantiated. When an investigation into a data breach or complaint uncovers no evidence of HIPAA violations, the investigation is closed, the findings, documented, and no further action is taken.

When HIPAA violations are discovered, OCR can take a number of different actions. OCR prefers to resolve HIPAA violations through voluntary compliance. I.e. the covered entity accepts that HIPAA violations have occurred, and takes voluntary actions to correct the violation to prevent any repeat occurrences.

Minor violations of HIPAA Rules may be discovered that have been caused by a misinterpretation of HIPAA requirements. HIPAA legislation does not explicitly state in detail everything that a covered entity must do to comply and the legislation is technology-agnostic. The HIPAA Security Rule also contains many addressable requirements, which must be considered, but may not be appropriate for certain covered entities. HIPAA also includes terms such as ‘reasonable protections’ and ‘reasonable efforts,’ which are somewhat subjective. As a result there are some gray areas when it comes to HIPAA compliance and the legislation is, in some areas, open to interpretation.

When these ‘violations’ are discovered, OCR may chose to issue technical guidance to help a covered entity achieve compliance. When similar violations are discovered at multiple covered entities, OCR may choose to release guidance to clarify what is required.

Particularly egregious violations of HIPAA Rules, multiple violations of a similar type, and persistent and widespread non-compliance require more punitive measures and can result in financial penalties for HIPAA violations. Financial penalties are most commonly settlements, where the covered entity agrees to pay a financial penalty with no admission of liability. Far less commonly, OCR imposes a civil monetary penalty. This happens when a covered entity is determined to have violated HIPAA, yet the covered entity objects and fights the case. The matter is then presented to an Administrative Law Judge who will rule on whether whether HIPAA Rules have indeed been violated and if a CMP or the amount of the CMP is justified.

HIPAA violations can also result in criminal charges. Criminal violations of HIPAA Rules, such as theft of PHI for financial gain, are referred to the Department of Justice, although criminal charges are relatively rare.

The Office for Civil Rights also conducts HIPAA compliance audits. A pilot audit program was conducted in 2011/2012 on a selection of HIPAA-covered entities and a second round of compliance audits was conducted in 2016/2017. The second phase also included audits of business associates. The compliance audit program is primarily concerned with identifying areas of noncompliance to guide OCR’s enforcement efforts and to help OCR produce pertinent guidance, although, a failed audit may warrant further investigation and financial penalties could be issued.

HIPAA Enforcement by State Attorneys General

HIPAA enforcement by state attorneys general is possible, although since they were given the right to enforce HIPAA compliance it has been relatively rare for cases to be pursued. While all HIPAA violations are treated seriously, oftentimes, state attorneys general pursue the cases for violations of state statutes rather than violations of HIPAA Rules. There are various reasons for this, but commonly it is because it is more straightforward to take action against companies under state laws.

That said, a handful of state attorneys general have taken action against HIPAA-covered entities for HIPAA violations, as mandated by HIPAA and the HITECH Act, and the number of actions has increased in recent years. State Attorneys general that have won cases against healthcare organizations over HIPAA violations include California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Vermont, and the District of Columbia.

The penalties that can be issued by state attorneys general are much lower than those that can be issued by OCR. The maximum financial penalty allowed under the HITECH Act is $25,000 per identical violation in a calendar year.

HIPAA Enforcement by the Centers for Medicare and Medicaid Services (CMS)

The CMS is responsible for enforcing compliance with the HIPAA Administrative Simplification Regulations. This is a lesser known aspect of HIPAA, but one of the main reasons why the legislation was originally introduced. The HIPAA Administrative Simplification Regulations improve efficiency in the healthcare industry, which ultimately helps to drive down the cost of healthcare. The HIPAA Administrative Simplification Regulations require covered entities to adopt standards for healthcare transactions, including the use of standard code sets and identifiers.

While the CMS does investigate complaints about covered entities that are not in compliance with this aspect of HIPAA Rules, its enforcement actions have not yet resulted in fines. When a violation is discovered, covered entity is required to voluntarily achieve compliance. Fines would only be necessary for continued non-compliance.

In 2019, the CMS announced that it has commenced an audit program to assess compliance with the HIPAA Administrative Simplification Regulations. In April 2019, 9 randomly selected health plans and healthcare clearinghouses were selected for audit, following which, random audits will be conducted on further health plans and healthcare clearinghouses. The audit program will also be extended to healthcare providers.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.